Threat Research Blog

Threat Actors Using Mandiant APT1 Report as a Spear Phishing Lure

It was only a matter of time. Today, Mandiant learned of at least two malicious versions of our APT1 report that attempt to lure users into opening PDF documents titled "Mandiant" and "Mandiant_APT2_Report." We are currently tracking the threat actors behind the activity and have no indication that APT1 itself is associated with either variant.

Symantec and Brandon Dixon's 9B+ blog uncovered the two permutations of the report. Hashes for the malicious PDFs are available on their blogs. Thanks to both for posting their findings.

Mandiant has not been compromised. Reports downloaded from our website, previously and currently, do not contain exploits.

We recommend that you only retrieve Mandiant's reports from:, then check the hash of the downloaded files against the hashes posted on our web site.
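One way to perform the hash check recommended above before opening a downloaded report, as an added example that is not Mandiant's own tooling. The page does not name the hash algorithm, so this sketch assumes the published value is an MD5, SHA-1 or SHA-256 hex digest and infers which from its length; the file names and sample bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm (assumption: the page does not say which is published).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def normalize_digest(published):
    """Drop whitespace, colons and case so a copy-pasted digest compares cleanly."""
    cleaned = "".join(published.split()).replace(":", "").lower()
    if len(cleaned) not in ALGO_BY_HEX_LEN or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not an MD5, SHA-1 or SHA-256 hex digest")
    return cleaned

def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks; the file is only read as bytes, never parsed as a PDF."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, published):
    """Return True only if the file's digest equals the published digest."""
    expected = normalize_digest(published)
    actual = file_digest(path, ALGO_BY_HEX_LEN[len(expected)])
    return hmac.compare_digest(actual, expected)

def demo():
    # Constructed sample data standing in for a genuine and an altered download.
    genuine = b"%PDF-1.4 constructed stand-in for the genuine report\n"
    altered = genuine + b"appended bytes"
    # Constructed "published" digest, upper-cased with spaces as it might be pasted.
    hexd = hashlib.sha256(genuine).hexdigest().upper()
    published = " ".join(hexd[i:i + 8] for i in range(0, len(hexd), 8))
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("genuine.pdf", genuine), ("altered.pdf", altered)):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            results[name] = verify_download(path, published)
    return results

if __name__ == "__main__":
    print(demo())
```

A mismatch means the file should be discarded unopened; a matching file name alone says nothing about the contents.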